
[ipfw] Add support for masked ip-address lookups
Accepted, Public

Authored by lytboris_gmail.com on Tue, Nov 11, 7:21 PM.
Tags
None
Referenced Files
F135957276: D53694.id166259.diff
Fri, Nov 14, 1:37 PM
F135957275: D53694.id.diff
Fri, Nov 14, 1:37 PM
F135946553: D53694.diff
Fri, Nov 14, 10:54 AM

Details

Reviewers
melifaro
ae
Summary

The current radix-based implementation of lookup tables in ipfw does not support non-contiguous prefixes, while this type of lookup is needed to write CPU-efficient firewall configurations.

For some of these cases one can reach the goal using a masked table lookup by:

  1. adding masked records (i.e. with the non-significant bits zeroed) to a table
  2. zeroing the non-significant bits in the lookup key prior to making the table lookup

Most of the code for this feature was merged in D46183, which added bitmask support for numeric (32-bit) lookups and left IP-address lookups out of scope.

This differential adds support for bitmask IP-address lookups and documents the feature.

Here is an excerpt from the man page explaining the feature:

lookup {dst-ip | dst-ip6 | dst-port | dst-mac | src-ip | src-ip6 |
        src-port | src-mac | uid | jail | dscp | mark}[:bitmask] name
        Search an entry in lookup table name that matches the field
        specified as argument.  If not found, the match fails.
        Otherwise, the match succeeds and tablearg is set to the value
        extracted from the table.

        If an optional 32-bit unsigned bitmask is specified, the value of
        the field is combined with the bitmask by a bitwise AND and the
        resulting value is searched for instead of the original one.  The
        bitmask is accepted in the following formats:

        1.      A dotted-quad form, e.g. 127.88.34.0

        2.      A number, e.g. 0xf00baa1 or 255

        3.      As an IPv6 address when specified along with the dst-ip6
                or src-ip6 field.  If used, the rule will match IPv6
                packets only.  Internally the bitmask is packed into the
                32-bit format (see below), so only the values zero or 0xf
                are supported in each 4-bit nibble.  E.g.
                ffff:ff00:ffff:ffff:0:0:0:0f0f is a valid bitmask value
                while afff:ff00:ffff:ffff:0:0:0:0f0f is not.

        The bitmask specified for dst-ip or src-ip is applied to an IPv6
        destination or source address as well: each bit in the bitmask
        sets (when 1) or clears (when 0) the corresponding 4-bit nibble.
        E.g. bitmask=0xfcff0005 is applied as
        ffff:ff00:ffff:ffff:0:0:0:0f0f.

        This option can be useful to quickly dispatch traffic based on
        certain packet fields.  The bitmask makes wildcard lookups
        possible by inserting a masked prefix into the table and applying
        the bitmask on each lookup.

        Note: dst-mac and src-mac lookups currently do not support
        masking.

        See the LOOKUP TABLES section below for more information on
        lookup tables.
Test Plan
# Configure NAT instances
ipfw nat 10 config ip 192.0.2.0
ipfw nat 11 config ip 192.0.2.1
ipfw nat 12 config ip 192.0.2.2
ipfw nat 13 config ip 192.0.2.3

ipfw table mynats create type addr valtype nat
# Map external NAT address to NAT instance
ipfw table mynats add 192.0.2.0 10
ipfw table mynats add 192.0.2.1 11
ipfw table mynats add 192.0.2.2 12
ipfw table mynats add 192.0.2.3 13

# Map last 2 bits of client's IP address to NAT instance
ipfw table mynats add 0.0.0.0 10
ipfw table mynats add 0.0.0.1 11
ipfw table mynats add 0.0.0.2 12
ipfw table mynats add 0.0.0.3 13

# In -> Out NAT, zero out all bits in a client's IP except
# the 2 least significant prior to table lookup
ipfw add nat tablearg ip from 10.0.0.0/24 to any
			lookup src-ip:0.0.0.3 mynats
# Out -> In NAT
ipfw add nat tablearg ip from any to 192.0.2.0/30
			lookup dst-ip mynats
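
The following is an added example, not code from this differential or from ipfw itself. It models the three bitmask notations the man page excerpt accepts (dotted quad, plain or hex number, IPv6 address), the packing rule that ties a 32-bit mask to a 128-bit IPv6 mask (one mask bit per 4-bit nibble, so a nibble that is neither 0 nor f is rejected), and the masked IPv4 key that the test plan's `lookup src-ip:0.0.0.3 mynats` rule would search for. All function names and the try-dotted-quad-then-IPv6-then-number parse order are this example's own assumptions, not ipfw's parser.

```c
/*
 * Added example (not ipfw code): bitmask notations and IPv4<->IPv6 mask
 * packing as described in the ipfw(8) "lookup ...:bitmask" excerpt.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Expand a 32-bit mask to a 16-byte IPv6 mask: bit i (counted from the most
 * significant bit) becomes nibble i, 0xf when the bit is set, 0 when clear. */
void expand_mask_to_ipv6(uint32_t mask32, uint8_t out[16])
{
	memset(out, 0, 16);
	for (int i = 0; i < 32; i++) {
		if (mask32 & (1u << (31 - i)))
			out[i / 2] |= (i % 2 == 0) ? 0xf0 : 0x0f;
	}
}

/* Pack a 16-byte IPv6 mask into 32-bit form.  Every nibble must be 0x0 or
 * 0xf; anything else (the 'a' in afff:...) is not representable -> false. */
bool pack_ipv6_mask(const uint8_t in[16], uint32_t *mask32)
{
	uint32_t m = 0;
	for (int i = 0; i < 32; i++) {
		uint8_t nib = (i % 2 == 0) ? (in[i / 2] >> 4) : (in[i / 2] & 0x0f);
		if (nib == 0xf)
			m |= 1u << (31 - i);
		else if (nib != 0)
			return false;
	}
	*mask32 = m;
	return true;
}

/* Parse a bitmask in any documented form into a host-order 32-bit value.
 * Assumed order: dotted quad, then IPv6 (packed), then number (base 0 so
 * both 255 and 0xf00baa1 work).  false on syntax error or unpackable mask. */
bool parse_lookup_mask(const char *s, uint32_t *mask32)
{
	struct in_addr a4;
	uint8_t a6[16];
	char *end;
	unsigned long n;

	if (inet_pton(AF_INET, s, &a4) == 1) {
		*mask32 = ntohl(a4.s_addr);
		return true;
	}
	if (inet_pton(AF_INET6, s, a6) == 1)
		return pack_ipv6_mask(a6, mask32);
	errno = 0;
	n = strtoul(s, &end, 0);
	if (errno != 0 || end == s || *end != '\0' || n > 0xffffffffUL)
		return false;
	*mask32 = (uint32_t)n;
	return true;
}

/* Key an IPv4 lookup would search for: address AND mask, host order. */
bool masked_key_v4(const char *addr, uint32_t mask32, uint32_t *key)
{
	struct in_addr a4;

	if (inet_pton(AF_INET, addr, &a4) != 1)
		return false;
	*key = ntohl(a4.s_addr) & mask32;
	return true;
}

int main(void)
{
	/* constructed inputs: the man page's examples plus the test plan's mask */
	const char *forms[] = { "0.0.0.3", "0xf00baa1", "255",
	    "ffff:ff00:ffff:ffff:0:0:0:0f0f", "afff:ff00:ffff:ffff:0:0:0:0f0f" };
	uint8_t m6[16];
	char buf[INET6_ADDRSTRLEN];
	uint32_t m, key;

	for (size_t i = 0; i < sizeof forms / sizeof forms[0]; i++) {
		if (parse_lookup_mask(forms[i], &m))
			printf("%-32s -> 0x%08x\n", forms[i], m);
		else
			printf("%-32s -> rejected\n", forms[i]);
	}
	expand_mask_to_ipv6(0xfcff0005, m6);
	printf("0xfcff0005 expands to %s\n",
	    inet_ntop(AF_INET6, m6, buf, sizeof buf));
	/* test-plan rule: client 10.0.0.5 masked with 0.0.0.3 -> key 0.0.0.1 */
	if (masked_key_v4("10.0.0.5", 3, &key))
		printf("10.0.0.5 & 0.0.0.3 -> 0.0.0.%u\n", key);
	return 0;
}
```

Note that inet_ntop prints the expanded mask in compressed form (`ffff:ff00:ffff:ffff::f0f`), which is the same 128-bit value as the man page's `ffff:ff00:ffff:ffff:0:0:0:0f0f`. The masked key 0.0.0.1 is what the test plan's table entry `0.0.0.1 11` is meant to catch, which is why the entries for the low two bits are inserted as plain host addresses.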

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped